I'm a beginner in decrypting SSL traffic, but I'm able to decrypt normal client-to-server SSL traffic. The problem I'm encountering is when I try to decrypt SSL traffic bridged from an F5 to the server. I was expecting the F5 to just re-establish the connection in the same way as a client to the F5.
All I see are:
What I normally see is:
The purpose of this is that I want to diagnose encrypted health checks to see why they are failing. Any ideas? Thanks for your help.
The difference in the SSL handshake is caused by the fact that the F5 reuses the initial full SSL handshake to the server and therefore only uses a short handshake to the server to not overload it. That's why you don't see the ClientKeyExchange message. And because you don't have the ClientKeyExchange, you can't do decryption.
You can change the ServerSSL profile to not cache SSL sessions for troubleshooting purposes. But beware that this will increase the CPU load on the server as each SSL session from the F5 to the server will now need to do a full SSL handshake which is very CPU intensive.
answered 11 Jul '12, 04:17
That's not the case. It depends on the settings in the "client ssl profile" (frontend) and the "server ssl profile" (backend).
If you want to decrypt the SSL/TLS session between the load balancer and the nodes, you need to have the private key installed on the nodes, unless it's the same as the one installed on the load balancer. Furthermore, you must ensure that the load balancer is NOT using any SSL/TLS ciphers with DH (Diffie-Hellman) authentication, as you cannot decrypt those. You need to change the CIPHERS in the "server ssl profile" (the one you configured for the virtual server). See the F5 SOL13171.
answered 11 Jul '12, 03:42
Kurt Knochner ♦
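The two reasons given in the answers above for an RSA-private-key decrypt failing (an abbreviated, resumed handshake with no ClientKeyExchange, and a DH cipher suite), as an added example that is not part of the original thread: a small Python classifier that walks a TLS 1.2 record sequence and reports whether the server's RSA key alone would let Wireshark decrypt it. The cipher suite IDs are the IANA values; the three captures, the session ID and the key-exchange bodies are constructed placeholders, and `classify` and `sample_captures` are helpers written here, not an F5 or Wireshark API.

```python
"""Classify constructed TLS 1.2 handshakes: could Wireshark decrypt the session
with only the server's RSA private key? Added example, not from the thread."""
import struct

REC_CHANGE_CIPHER_SPEC, REC_HANDSHAKE = 20, 22                    # record types
HS_CLIENT_HELLO, HS_SERVER_HELLO, HS_CERTIFICATE = 1, 2, 11       # handshake types
HS_SERVER_KEY_EXCHANGE, HS_SERVER_HELLO_DONE, HS_CLIENT_KEY_EXCHANGE = 12, 14, 16
TLS12 = b"\x03\x03"
# IANA cipher suite IDs; only the key-exchange column matters for decryption.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
}

def record(ctype, payload):            # TLS record: type(1) version(2) length(2) payload
    return bytes([ctype]) + TLS12 + struct.pack("!H", len(payload)) + payload

def handshake(htype, body):            # handshake message: type(1) length(3) body
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

def client_hello(session_id, suites):
    body = TLS12 + b"\x11" * 32 + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00"  # null compression
    return record(REC_HANDSHAKE, handshake(HS_CLIENT_HELLO, body))

def server_hello(session_id, suite):
    body = TLS12 + b"\x22" * 32 + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", suite) + b"\x00"
    return record(REC_HANDSHAKE, handshake(HS_SERVER_HELLO, body))

def parse_handshakes(capture):
    """Yield (direction, type, body) for each plaintext handshake message.
    capture is a wire-ordered list of (direction, record_bytes), direction "c"/"s".
    After a side sends ChangeCipherSpec its Finished is encrypted, so skip it."""
    encrypted = set()
    for direction, rec in capture:
        ctype, length = rec[0], struct.unpack("!H", rec[3:5])[0]
        payload = rec[5:5 + length]
        if ctype == REC_CHANGE_CIPHER_SPEC:
            encrypted.add(direction)
        elif ctype == REC_HANDSHAKE and direction not in encrypted:
            off = 0
            while off + 4 <= len(payload):
                hlen = int.from_bytes(payload[off + 1:off + 4], "big")
                yield direction, payload[off], payload[off + 4:off + 4 + hlen]
                off += 4 + hlen

def hello_session_id(body):            # both Hellos: version(2) random(32) sid_len(1) sid
    return body[35:35 + body[34]]

def classify(capture):
    seen, client_sid, server_sid, suite = set(), b"", b"", None
    for _, htype, body in parse_handshakes(capture):
        seen.add(htype)
        if htype == HS_CLIENT_HELLO:
            client_sid = hello_session_id(body)
        elif htype == HS_SERVER_HELLO:
            server_sid = hello_session_id(body)
            off = 35 + len(server_sid)                       # cipher suite follows the sid
            suite = struct.unpack("!H", body[off:off + 2])[0]
    name, kx = CIPHER_SUITES.get(suite, ("unknown", "unknown"))
    full = HS_CLIENT_KEY_EXCHANGE in seen
    if kx != "RSA":
        reason = f"{kx} key exchange: the premaster secret is never sent, server key is useless"
    elif not full:
        reason = "abbreviated handshake (session resumed): no ClientKeyExchange captured"
    else:
        reason = "RSA key exchange with ClientKeyExchange captured"
    return {"cipher_suite": name, "key_exchange": kx, "full_handshake": full,
            "resumed": bool(server_sid) and server_sid == client_sid,
            "decryptable_with_server_key": kx == "RSA" and full, "reason": reason}

def sample_captures():
    """Three constructed exchanges; bodies are placeholders, not real crypto."""
    sid = bytes(range(16))
    cert = record(REC_HANDSHAKE, handshake(HS_CERTIFICATE, b"\x00\x00\x00"))
    ske = record(REC_HANDSHAKE, handshake(HS_SERVER_KEY_EXCHANGE, b"\x03\x00\x17" + b"\x41" * 65))
    done = record(REC_HANDSHAKE, handshake(HS_SERVER_HELLO_DONE, b""))
    cke = record(REC_HANDSHAKE, handshake(HS_CLIENT_KEY_EXCHANGE, b"\x01\x00" + b"\xaa" * 256))
    ccs = record(REC_CHANGE_CIPHER_SPEC, b"\x01")
    fin = record(REC_HANDSHAKE, b"\xde\xad" * 20)             # encrypted Finished, opaque
    finish = [("c", cke), ("c", ccs), ("c", fin), ("s", ccs), ("s", fin)]
    return {
        # full RSA handshake: the client -> F5 pattern the asker "normally sees"
        "full_rsa": [("c", client_hello(b"", [0x002F, 0xC013])),
                     ("s", server_hello(sid, 0x002F)), ("s", cert), ("s", done)] + finish,
        # F5 -> node reuse of a cached session: ServerHello echoes the offered sid
        "resumed_rsa": [("c", client_hello(sid, [0x002F, 0xC013])),
                        ("s", server_hello(sid, 0x002F)), ("s", ccs), ("s", fin),
                        ("c", ccs), ("c", fin)],
        # full handshake but ECDHE: ServerKeyExchange carries the ephemeral key
        "full_ecdhe": [("c", client_hello(b"", [0xC013, 0x002F])),
                       ("s", server_hello(sid, 0xC013)), ("s", cert), ("s", ske),
                       ("s", done)] + finish,
    }

if __name__ == "__main__":
    for label, r in ((k, classify(v)) for k, v in sample_captures().items()):
        print(f"{label:12} {r['cipher_suite']:40} decryptable={r['decryptable_with_server_key']}  {r['reason']}")
```

Running it prints one line per capture: only `full_rsa` is decryptable; `resumed_rsa` fails for lack of a ClientKeyExchange and `full_ecdhe` fails on the key exchange even though every handshake message is present. One caveat worth knowing when reading a real capture: Wireshark keeps the master secret of sessions it has already decrypted, keyed by session ID, so a resumed RSA session does decrypt if the same capture also contains the full handshake that created it. That is why disabling the cache on the ServerSSL profile, or starting the capture before the F5's first connection to the node, both work.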